Abstract. Generalised Symbolic Trajectory Evaluation (GSTE) is a high-capacity formal verification technique for hardware. GSTE is an extension of Symbolic Trajectory Evaluation (STE). The difference is that STE is limited to properties ranging over finite time-intervals whereas GSTE can deal with properties over unbounded time.

GSTE uses abstraction, meaning that details of the circuit behaviour are removed from 
the circuit model. This improves the capacity of the method, but has as down-side that 
certain properties cannot be proven if the wrong abstraction is chosen. 

A semantics for GSTE can be used to predict and understand why certain circuit 
properties can or cannot be proven by GSTE. Several semantics have been described for 
GSTE by Yang and Seger. These semantics, however, are not faithful to the proving 
power of GSTE-algorithms, that is, the GSTE-algorithms are incomplete with respect to 
the semantics. The reason is that these semantics do not capture the abstraction used in 
GSTE precisely. 

The abstraction used in GSTE makes it hard to understand why a specific property 
can, or cannot, be proven by GSTE. The semantics mentioned above cannot help the user 
in doing so. So, in the current situation, users of GSTE often have to revert to the GSTE 
algorithm to understand why a property can or cannot be proven by GSTE. 

The contribution of this paper is a faithful semantics for GSTE. That is, we give a simple formal theory that deems a property to be true if-and-only-if the property can be proven by a GSTE-model checker. We prove that the GSTE algorithm is sound and complete with respect to this semantics. Furthermore, we show that our semantics for GSTE is a generalisation of the semantics for STE and give a number of additional properties relating the two semantics.
Figure 1: A memory cell
1. Introduction 

The rapid growth in hardware complexity has led to a need for formal verification 
of hardware designs to prevent bugs from entering the final silicon. Model checking is a 
verification method in which a model of a system is checked against a property, describing 
the desired behaviour of the system over time. Today, all major hardware companies use 
model checkers in order to reduce the number of bugs in their designs. 

1.1. Symbolic Trajectory Evaluation. Symbolic Trajectory Evaluation (STE) [12] is a high-performance model checking technique based on simulation. STE combines three-valued simulation (using the standard values 0 and 1 together with the extra value X, "don't know") with symbolic simulation (using symbolic expressions to drive inputs). STE has been extremely successful in verifying properties of circuits containing large data paths (such as memories, FIFOs, and floating point units) that are beyond the reach of traditional symbolic model checking [1, 10, 12].

Consider the circuit in Figure 1. The circuit consists of two AND-gates, an OR-gate, a register (depicted by the letter R), and an inverter (depicted by the black dot). The register has output node reg and input node reg'. The value of the output of the register at time t + 1 is the value of its input at time t. The memory cell can be written with the value at node in by making node set high.

In STE, circuit specifications are assertions of the form A ==> C. Here, A is called the antecedent and C the consequent. For example, an STE-assertion for the memory cell is:

(in is a) and (set is 1) ==> N(out is a)

Here a is a symbolic constant, which can take on the value 0 or 1, and in, set and out are node names. N is the next-time operator. The assertion states that when node in has value a, and node set has value 1, then at the next point in time, node out must have value a.



The name symbolic constant is used to indicate that the variable keeps a constant value over different 
points in time. In plain STE, such variables are called symbolic variables. As this paper deals with GSTE, 
we will use the GSTE terminology even when we discuss plain STE. 
1.2. Generalised Symbolic Trajectory Evaluation. One of the main disadvantages of STE is that it can only deal with properties ranging over a finite number of time-steps. Generalised Symbolic Trajectory Evaluation (GSTE) [15, 16, 17, 18] is an extension of STE that can deal with properties ranging over unbounded time.

In GSTE, circuit properties are given by assertion graphs. For example, an assertion 
graph for the memory cell is: 



In the assertion graph, each edge is labelled with a pair A/C. As in STE, A is called the 
antecedent and C is called the consequent. The syntax of A and C is like the syntax of 
the antecedent and consequent in STE without the next-time operator N. The N operator 
can not be used because each edge only represents a single time-point. A dot (•) means an 
empty antecedent or consequent. 

The assertion graph above states that if we write value a to the memory cell, and then 
for arbitrary many time-steps we do not write, the memory cell still contains value a. 

Each finite path, starting in the initial vertex init of the graph, represents an STE property. For instance, the finite paths through the assertion graph above represent the following STE properties:

(in is a) and (set is 1) ==> N(out is a)

(in is a) and (set is 1) and N(set is 0) ==> NN(out is a)

(in is a) and (set is 1) and N(set is 0) and NN(set is 0) ==> NNN(out is a)

Each of these assertions can be proven by an STE model checker. But, as the set of 
assertions is infinite, we cannot use plain STE to prove all of them. However, if we use 
GSTE to prove that the circuit satisfies the above assertion graph, it follows that all STE- 
assertions represented by the assertion graph hold as well. 

Note that in GSTE, just like in STE, the initial values of registers are ignored. 

1.3. Earlier work on semantics for GSTE. A semantics for GSTE can be used to predict and understand why certain circuit properties can or cannot be proven by GSTE. In [17, 18] three semantics for GSTE are distinguished: (1) the strong semantics, (2) the normal semantics, and (3) the fair semantics. The semantics have in common that a circuit satisfies an assertion graph if it satisfies all appropriate paths in the assertion graph. The meaning of appropriate differs over the three semantics, as we explain in the following paragraphs. As in [5], we refer to this class of semantics as the ∀-semantics, because these semantics really consider all concrete paths, rather than approximating this quantification by applying abstraction.

In the strong semantics, a circuit satisfies a GSTE assertion graph if-and-only-if the circuit satisfies all STE-assertions corresponding to finite paths in the assertion graph. For instance, as the memory cell satisfies the set of finite assertions above, it also satisfies assertion graph (1.1).

Consider the following assertion graph (1.2), shown as a figure in the original:
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Intuitively, we might want the above assertion graph to state that if at some time-point 
node out has value a, and just before that, node set was high, then at this time-point node 
in should have value a. This is an example of a backwards property, that is, a property in 
which a consequent depends on an antecedent at a later time-point. 

The strong semantics cannot deal with such backwards properties. For instance, for the above property, the path starting in vertex init and ending in vertex v corresponds to the assertion

(set is 1) ==> (in is a)

This assertion is, of course, not true for the memory cell. But, any run of the circuit that makes in is a fail, makes N(out is a) fail as well. So, intuitively, the assertion is not satisfied because a consequent failed before the antecedent it depended on could fail.

In the normal semantics, a circuit satisfies a GSTE assertion graph if-and-only-if the circuit satisfies the STE-assertions corresponding to all infinite paths in the assertion graph. Therefore, the normal semantics can deal with backwards properties as well. For instance, in assertion graph (1.2), there is only one infinite path. This path corresponds to the following assertion:

(set is 1) and N(out is a) ==> (in is a)

As any circuit trace that satisfies the antecedent satisfies the consequent as well, this assertion is satisfied by the circuit. Thus, in the normal semantics, the GSTE assertion graph is satisfied.

Finally, the need for the fair semantics is illustrated by the following example. Consider the assertion graph (1.3), shown as a figure in the original, whose edges carry the labels (set is 1) / (in is a), set is 0/- and out is a/-:

The assertion graph above states that if at some time-point node out has value a, and before 
that, for a period of time no values were written to the memory-cell, and before that, set 
was high, then at this time-point in should have value a. 

In the normal semantics, the memory cell circuit does not satisfy this assertion graph. Consider the infinite path starting in init and then cycling at the self-loop at v for ever. This path corresponds to the infinite assertion:

(set is 1) and N(set is 0) and NN(set is 0) and ... ==> in is a

For a given a, this assertion can be falsified by the trace in which value ¬a is written at time 0, and is kept in memory since then.

In the fair semantics for GSTE, this problem is solved by selecting a set of fair edges. 
The semantics only considers paths that visit every fair edge infinitely often. For instance, 
if in the above assertion graph the edge from vertex w to itself is made fair, the assertion 
graph holds in the fair semantics. 

1.4. GSTE model checking. In the same papers [17, 18], model checking algorithms for normal, strong and fair GSTE are described. It is proven that the model checking algorithms are sound with respect to their corresponding semantics. However, the algorithms are not complete. The reason is that the ∀-semantics do not precisely capture the information loss due to the three-valued abstraction in GSTE.

For example, consider the circuit shown as a figure in the original, in which node p' is the input of a register R with output node p, and node out is the circuit output, and the following assertion graph (also shown as a figure): two edges from init to v, labelled p' is 1/- and p' is 0/-, and an edge from v to w labelled -/out is 1.
The assertion graph represents the following STE-assertions:

p' is 1 ==> N(out is 1)

p' is 0 ==> N(out is 1)

Both assertions hold. So, the semantics described above predict that the circuit satisfies the assertion graph.

However, it turns out that the GSTE-algorithm cannot prove the assertion graph! The reason is that GSTE algorithms only compute one three-valued assertion for each edge in the assertion graph. This is in general not enough to account for all STE assertions corresponding to all paths through the assertion graph, so a certain information loss happens. In this particular case, the state calculated on the edge from v to w gives value X to node out. This can be explained as follows. The antecedent at the top edge between vertices init and v requires node p' to have value 1. The antecedent at the bottom edge requires node p' to have value 0. Node p' is the input to a register with node p as output. So, when the edge from v to w is reached via the top edge between init and v, node p will receive value 1. When the edge from v to w is reached via the bottom edge between init and v, node p will receive value 0. As the value of node p should comply with both paths, the algorithm chooses value X for node p, and thus node out receives value X as well.

1.5. The problem. The previous example illustrates that the ∀-semantics for GSTE discussed previously cannot be used to explain how the three-valued abstraction causes certain properties to be not provable with GSTE. This can lead to situations where seemingly trivial changes to either the circuit or the assertion can suddenly make an assertion not provable anymore.

This is an undesirable situation. We believe that a faithful semantics for GSTE is 
needed. 

A faithful semantics deems a property to be true if-and-only-if the property can be 
proven by a GSTE-model checker. Without a faithful semantics, a GSTE verification engi- 
neer is left to the particular internals of the model checker at hand to understand what can 
and cannot be proved. Also, a faithful semantics can be used to understand differences be- 
tween different GSTE model checkers. For example, the GSTE semantics of satGSTE [14] 
is expressed using successive unrollings of the assertion graph as STE assertions. However, the abstraction obtained in that way does not correspond to the abstraction in standard GSTE model checkers. This means that there are assertion graphs for which satGSTE and standard GSTE model checkers give different answers.

To further clarify the importance of a faithful GSTE semantics, we would like to point 
out that there is a difference between the use of abstraction in (G)STE, and the application 
of abstraction as a performance enhancer in model checkers for standard temporal logics 
like LTL and CTL. In the latter case, a model checker might simply give up when it happens 
to choose an abstraction that is too weak to prove a property, but it is still clear to the 
verification engineer what the specification means. In (G)STE, what abstraction to use in 
the model checker is an artefact of the specification, not an artefact of the model checker. So, 
in (G)STE it is vital to understand what a specification means, separate from a particular 
model checker, including the abstraction that is specified. 

In previous work [9], we have described a faithful semantics for STE. However, up till now, no faithful semantics for GSTE has been described.

1.6. Our contribution. In this paper, we present a semantics for GSTE that is faithful to the proving power of the GSTE model checking algorithm. Compared to the semantics described in [17, 18], our semantics corresponds to the strong semantics of GSTE. That is, in this paper, we do not consider backwards properties or fairness constraints, which remains future work. One difference with the strong semantics in [17, 18] is that our semantics captures the three-valued abstraction of GSTE precisely, and thus can be used to explain the information loss caused by the three-valued abstraction in GSTE.

Another difference is that our semantics for GSTE follows the same structure as the semantics for STE [9, 12, 6]. For instance, where STE deals with sequences to represent abstract circuit behaviour, our GSTE semantics uses sequence graphs. Here, a sequence graph is a mapping from edges in an assertion graph to abstract circuit states. We show that our GSTE semantics is a generalisation of the STE semantics. That is, given a linear assertion graph, the STE-semantics and GSTE-semantics are equivalent. Finally, we state a number of additional properties relating the two semantics.

We believe that our faithful semantics for STE is an important contribution to the 
research on GSTE for at least two reasons. 

First of all, a faithful semantics makes GSTE more accessible to novice users: a faithful 
semantics enables users to understand the abstraction used in GSTE, without having to 
understand the details of the model checking algorithm. Additionally, in this paper, we aim 
at increasing the understanding for GSTE users of subtle cases of information-loss due to 
abstraction by providing enlightening examples. 

Furthermore, a faithful semantics for GSTE can be used as basis for research on new GSTE model checking algorithms and other GSTE tools. To illustrate this, in previous work [8], we described a new SAT-based model checking algorithm for STE and proved that it is sound and complete with respect to our faithful semantics for STE presented in [9]. Without a faithful semantics for STE, we would have been forced to prove the correctness of our algorithm by relating it to other model checking algorithms for STE. This is clearly a more involved and less elegant approach. In fact, we believe that without constructing a faithful semantics for STE first, we would not have obtained the level of understanding of STE needed to develop the new SAT-based model checking algorithm.
In the same way, we expect that the faithful semantics for GSTE presented in this paper will open the door for new research on GSTE model checking algorithms and other GSTE tools.

1.7. Other related work. The following papers are based on the ∀-semantics for GSTE.

GSTE as partitioned model checking. In [11], the relation between GSTE and classic symbolic model checking is studied. It is explained how GSTE can be seen as a partitioned form of classic symbolic model checking. However, the abstraction of GSTE is not taken into account. Therefore, this paper, focussing on the abstraction in GSTE, is complementary to [11].

Using SAT for debugging of GSTE assertion graphs. In [15], the tool satGSTE is presented. The tool considers a finite subset of all finite paths in an assertion graph, for instance, all paths up to a certain length. For each path in this subset, the tool model checks the corresponding STE assertion. The authors explain how the tool can be used to debug and refine GSTE assertion graphs. However, their tool does not follow the same semantics as standard GSTE model checking algorithms. Thus, certain counter-examples that would occur in a standard GSTE model checker due to the use of abstraction cannot be found with their algorithm.

Monitor circuits for GSTE assertion graphs. In (conventional, non-symbolic) simulation, 
a model of a circuit is fed with a large number of inputs. For every input it is checked 
whether the output is as expected. Typically, a monitor circuit is used to make this check. 
The monitor circuit observes the system under verification without interfering. During each 
step of the simulation, it indicates whether the system has obeyed the formal specification 
thus far. 

In [4, 7] methods for automatic construction of monitor circuits for GSTE assertion graphs are described. The method in [4] requires the use of a symbolic simulator if the assertion graph contains symbolic constants. In [7] it is explained how, for the class of so-called simulation friendly assertion graphs, the method of [4] can be extended to deal with symbolic constants even in conventional non-symbolic simulation.

The papers explain how monitor circuits can be used to make a bridge between GSTE 
model checking and conventional simulation. For instance, monitor circuits can be used to 
quickly debug and refine GSTE specifications before trying to use more labour intensive 
GSTE model checking. 

Reasoning about GSTE assertion graphs. Using the construction of monitor circuits for 
GSTE assertion graphs, [5] describes two algorithms that can be used in compositional 
verification using GSTE. The first algorithm decides whether one assertion graph implies 
another. The second algorithm can be used to model check an assertion graph under the 
assumption that another assertion graph is true. 
1.7.1. Relation to this paper. Each of the papers above is based on the ∀-semantics for GSTE. As explained above, the ∀-semantics are not faithful to the proving power of the GSTE model checking algorithms. So, it can occur that a tool described in the papers deems a GSTE assertion to be true, while the GSTE model checking algorithm cannot prove it.

For instance, the monitor circuits described above cannot be used to debug and refine assertion graphs that are true in the ∀-semantics but yield a spurious counter-example when trying to prove them with a GSTE model checker. The satGSTE tool is limited in the same way. We elaborate further on this in the future work section of this paper.



1.8. Structure of this paper. In the next section, we revisit the semantics of STE asser- 
tions. Then, in Section 3, we present our semantics of GSTE assertion graphs. In Section 4, 
we compare the STE semantics with the GSTE semantics by giving a number of properties 
describing their relation. In Section 5, we describe the GSTE model checking algorithm 
and show that it is sound and complete with respect to our semantics. Finally, in Section 
6, we conclude and give suggestions for future work. 



2. STE Preliminaries 

A semantics for STE was first described by Seger and Bryant [12]. Later, a simplified 
and easier to understand semantics was given by Melham and Jones [6]. Both of these 
semantics are expressed in terms of a next state function, expressing the relationship between 
two consecutive states in the circuit. Unfortunately, neither of these semantics matches the 
proving power of currently available STE model checkers. The problem is that they cannot 
deal with combinational properties (properties ranging over one single point in time). All 
such properties are deemed to be false by the semantics. Therefore standard next state 
semantics does not seem to be a good starting point for finding a faithful semantics for 
GSTE. 

In previous work [9], we have described an alternative semantics for STE that actually 
is faithful to the proving power of STE model checkers. The semantics is called the closure 
semantics. Informally, the closure semantics only differs from the traditional STE semantics 
for combinational properties. 

A main ingredient of the closure semantics for STE is the concept of a closure function. 
The idea is that a closure function takes as input a state of the circuit, and calculates 
all information about the circuit state at the same point in time that can be derived by 
propagating the information in the input state in a forwards fashion. In the next section, 
we give an alternative semantics for GSTE also based on closure functions. 

In this section we briefly describe the closure semantics for STE. For more examples and a discussion on the differences with the semantics given in [12, 6], we refer the reader to [9].

Readers familiar with [9] can skip most of this section; compared to [9] we slightly 
changed notation in the definition of the closure function on sequences, and we introduced an 
extra variant of a closure semantics called the simple semantics. Furthermore, we adapted 
the terminology to GSTE: we call the variables in STE-assertions symbolic constants to 
indicate that they keep a constant value over time. Finally, we use finite sequences to 
represent circuit behaviour, as opposed to the standard use of infinite sequences. Notice 
that this is a very superficial change on the notational level; it does not change the semantics 
Figure 2: The STE lattice

Figure 3: Four-valued extensions of the logical operators, least upper bound and greatest lower bound operators.

itself. The reason for making the change is that it enables us to considerably simplify the proof of Proposition 4.11 on page 24.

2.1. Values and Circuit States. Values In STE, we can abstract away from specific Boolean values of a node, by using the value X, which stands for unknown. The value T stands for over-constrained. A node takes on the value T when it is required to have both value 0 and value 1.

On this set an information-ordering ≤ is introduced, see Figure 2. The unknown value X contains the least information, so X ≤ 0 and X ≤ 1, while 0 and 1 are incomparable. The over-constrained value contains the most information, so 0 ≤ T and 1 ≤ T. If v ≤ w it is said that v is weaker than w.

The set V together with the ordering ≤ forms a lattice. The least upper bound operator is written ⊔, the greatest lower bound operator is written ⊓, see Figure 3.

The logical operators for conjunction, written &, disjunction, written +, and negation, written ¬, are extended to the four-valued domain as in Figure 3.

States A circuit state, written s : State, is a function from the set of nodes of a circuit to the values {0, 1, X, T}.

2.2. Closure functions. In our semantics for STE, closure functions are used as circuit models. The idea is that a closure function, written F : State → State, takes as input a state of the circuit, and calculates all information about the circuit state at the same point in time that can be derived by propagating the information in the input state in a forwards fashion.

Such an STE circuit state can be thought of as representing a set of regular states, commonly used in set-based abstractions, where X represents the set {0, 1} and T represents the empty set. This view induces a natural set-theoretic lattice, with set inclusion as its ordering. It is perhaps confusing that the standard STE lattice ordering (also used here) goes exactly the other way around; i.e. the STE ⊔ corresponds to ∩ and ⊓ corresponds to ∪.

Example 2.1. The closure function for a circuit consisting of a single AND-gate with inputs p and q, and output r is given by the table below. Here, s is a state and n is a node.

    n    F(s)(n)
    p    s(p)
    q    s(q)
    r    (s(p) & s(q)) ⊔ s(r)

The least upper bound operator in the expression for F(s)(r) combines the value of r in the given state s, and the value for r that can be derived from the values of p and q, being s(p) & s(q).

A state s : {p, q, r} → V can be written as a vector s(p) s(q) s(r). For example, the state that assigns the value 1 to nodes p and q and the value X to node r is written as 11X. Applying the closure function to the state 11X yields 111. The reason is that when both inputs to the AND-gate have value 1, then by forwards propagation of information, also the output has value 1. Applying the closure function to state 1XX yields 1XX. The reason is that the output of the AND-gate is unknown when one input has value 1 and the other value X. The forwards nature of simulation becomes clear when the closure function is applied to state XX1, resulting in XX1. Although the inputs to the AND-gate must have value 1 when the output of the gate has value 1, this cannot be derived by forwards propagation.

A final example shows how the over-constrained value T can arise. Applying the closure function to state 0X1 yields 0XT. The reason is that the input state gives node r value 1 and node p value 0. From p having value 0 it can be derived by forwards propagation that r has value 0, therefore r receives the over-constrained value T. □

A closure function is a function F : State → State satisfying the following three conditions:

• F is monotonic, that is, for all states s1, s2: s1 ≤ s2 implies F(s1) ≤ F(s2). This means that a more specified input state cannot lead to a less specified result. The reason is that given a more specified input state, more information about the state of the circuit can be derived.

• F is idempotent, that is, for every state s: F(F(s)) = F(s). This means that repeated application of the closure function has the same result as applying the function once. The reason is that the closure function should derive all information about the circuit state in one go.

• F is extensive, that is, for every state s: s ≤ F(s). This means that the application of a closure function to a circuit state should yield a state at least as specified as the input state. The reason is that the closure function is required not to lose any information.

Netlists Here, a netlist is an acyclic list of definitions describing the relations between the values of the nodes. Inverters are not modelled explicitly in our netlists, instead they occur implicitly for each mention of the negation operator ¬ on the inputs of the gates. Registers are not mentioned explicitly in the netlist either. Instead, for a register with output node n in the circuit, the input of the register is node n' which is mentioned in the netlist. For simplicity, we only allow AND-gates and OR-gates in netlists. It is, however, straightforward to extend this notion of netlists to include more operations.
Induced Closure Function Given the netlist of a circuit c, the induced closure function for the circuit, written F_c, can easily be constructed by interpreting each definition in the netlist as a four-valued gate (see Figure 3). Each

Given a state s, a circuit c, and a circuit node n, we calculate F_c(s)(n) as follows:

• If n is a circuit input or the output of a register, then we define F_c(s)(n) = s(n).

• If n is the output of an AND-gate with input nodes p and q, then we define

F_c(s)(n) = (F_c(s)(p) & F_c(s)(q)) ⊔ s(n).

• If n is the output of an OR-gate with input nodes p and q, then we define

F_c(s)(n) = (F_c(s)(p) + F_c(s)(q)) ⊔ s(n).

• If n is the output of an inverter with input node p, then we define

F_c(s)(n) = ¬F_c(s)(p) ⊔ s(n).

This definition is well-defined because netlists are acyclic by definition.

Proposition 2.2. The induced closure function for a circuit is by construction monotonic, idempotent and extensive.

Proof. The closure function F_c is a composition of the monotonic functions of four-valued negation, four-valued conjunction and least upper bound, therefore it is monotonic itself.

As netlists are acyclic by definition, we can prove properties by induction over the definition of a node. We prove idempotency by proving F_c(F_c(s))(n) = F_c(s)(n) by induction on the definition of n. Assume n is in the set of input- and state-holding nodes IDS, then F_c(F_c(s))(n) = F_c(s)(n) by definition. If n is defined by n = p and q, then:

F_c(F_c(s))(n)
= (F_c(F_c(s))(p) & F_c(F_c(s))(q)) ⊔ F_c(s)(n)            (definition)
= (F_c(s)(p) & F_c(s)(q)) ⊔ F_c(s)(n)                      (ind. hyp.)
= (F_c(s)(p) & F_c(s)(q)) ⊔ (F_c(s)(p) & F_c(s)(q)) ⊔ s(n)  (definition)
= (F_c(s)(p) & F_c(s)(q)) ⊔ s(n)                           (property ⊔)
= F_c(s)(n)                                                (definition)

A similar argument holds when n is defined by a different gate definition.

The extensivity of F_c follows directly from its definition: if n is an input or state-holding node then F_c(s)(n) = s(n), otherwise F_c(s)(n) is defined as the least upper bound of s(n) and another expression, so s(n) ≤ F_c(s)(n). □

2.3. A closure function for sequences. Sequences A sequence of depth d, written σ : {0, 1, ..., d} → State, is a function from a point in time to a circuit state, describing the behaviour of a circuit over time. The set of all sequences is written Seq. A three-valued sequence is a sequence that does not assign the value T to any node at any time.

The order ≤ and the operators ⊔ and ⊓ are extended to sequences in a point-wise fashion. That is, the order ≤ on sequences is defined by σ1 ≤ σ2 iff for all n, σ1(n) ≤ σ2(n). Furthermore, (σ1 ⊔ σ2)(n) = σ1(n) ⊔ σ2(n), and (σ1 ⊓ σ2)(n) = σ1(n) ⊓ σ2(n).

Closure for sequences In STE, a circuit is simulated over multiple time steps. During simulation, information is propagated forwards through the circuit and through time, from each time step t to time step t + 1. Note that the initial values of registers are ignored.

To model this forwards propagation of information through time, a closure function for sequences, notation F→ : Seq → Seq, is used. Given a sequence, the closure function for sequences calculates all information that can be derived from that sequence by forwards propagation. The closure function for sequences preserves the depth of the given sequence.

Recall that for every register with output n, the input to the register is node n'. Therefore, the value of node n' at time t is propagated to node n at time t + 1 in the forwards closure for sequences.

Given a circuit state s, the function next calculates the information that is propagated by the registers, and is defined by:

    next(s)(n) = s(n')   if n ∈ S
               = X       otherwise



The closure function for sequences is defined in terms of a closure function F. Given a 
closure function F for a circuit with a set of outputs of registers S, the closure function for 
sequences, written F~* : Seq — > Seq, is inductively defined by: 

F-(a)(0) =F(a(0)) 

F^(a)(t + 1) = F( a(t + 1) U next(F^(a)(t)) ) (0 < t < d - 1) 

Proposition 2.3. The function $F^{\to}$ inherits the properties of being monotonic, idempotent and extensive from $F$.

Proof. The closure function $F^{\to}$ is a composition of the monotonic functions $F$, $\mathit{next}$ and least upper bound, therefore it is monotonic itself.

We prove the idempotency of $F^{\to}$ by proving $F^{\to}(F^{\to}(\sigma))(t) = F^{\to}(\sigma)(t)$ by induction on $t$.

Suppose $t = 0$, then

$$
\begin{array}{ll}
F^{\to}(F^{\to}(\sigma))(0) \\
= F(F^{\to}(\sigma)(0)) & \text{(definition of } F^{\to}) \\
= F(F(\sigma(0))) & \text{(definition of } F^{\to}) \\
= F(\sigma(0)) & \text{(idempotency of } F) \\
= F^{\to}(\sigma)(0) & \text{(definition of } F^{\to})
\end{array}
$$

The induction hypothesis is: $F^{\to}(F^{\to}(\sigma))(t) = F^{\to}(\sigma)(t)$ for a fixed $t$. Suppose that the induction hypothesis holds, then:

$$
\begin{array}{ll}
F^{\to}(F^{\to}(\sigma))(t + 1) \\
= F(\, F^{\to}(\sigma)(t + 1) \sqcup \mathit{next}(F^{\to}(F^{\to}(\sigma))(t)) \,) & \text{(definition of } F^{\to}) \\
= F(\, F^{\to}(\sigma)(t + 1) \sqcup \mathit{next}(F^{\to}(\sigma)(t)) \,) & \text{(ind. hyp.)}
\end{array}
$$

Now we reduce the term $F^{\to}(\sigma)(t + 1) \sqcup \mathit{next}(F^{\to}(\sigma)(t))$ further.

$$
\begin{array}{ll}
F^{\to}(\sigma)(t + 1) \sqcup \mathit{next}(F^{\to}(\sigma)(t)) \\
= F(\, \sigma(t + 1) \sqcup \mathit{next}(F^{\to}(\sigma)(t)) \,) \sqcup \mathit{next}(F^{\to}(\sigma)(t)) & \text{(def. } F^{\to}) \\
= F(\, \sigma(t + 1) \sqcup \mathit{next}(F^{\to}(\sigma)(t)) \,) & (F \text{ extensive, prop. } \sqcup)
\end{array}
$$

Thus:

$$
\begin{array}{ll}
F^{\to}(F^{\to}(\sigma))(t + 1) \\
= F(\, F^{\to}(\sigma)(t + 1) \sqcup \mathit{next}(F^{\to}(\sigma)(t)) \,) & \text{(see above)} \\
= F(F(\, \sigma(t + 1) \sqcup \mathit{next}(F^{\to}(\sigma)(t)) \,)) & \text{(see above)} \\
= F(\, \sigma(t + 1) \sqcup \mathit{next}(F^{\to}(\sigma)(t)) \,) & (F \text{ idempotent}) \\
= F^{\to}(\sigma)(t + 1) & \text{(def. } F^{\to})
\end{array}
$$

Finally, $F^{\to}$ being extensive follows directly from the definition of $F^{\to}$ and the properties of $\sqcup$. □
2.4. Semantics for STE. Before giving our semantics for STE we first introduce the concept of trajectories:

Trajectories A trajectory is defined as a sequence in which no more information can be derived by forwards propagation. That is, a sequence $\tau$ is a trajectory of a closure function when it is a fixed-point of the closure function for sequences. So, a sequence $\tau$ is a trajectory of $F$ iff $\tau = F^{\to}(\tau)$.

STE-assertions have the form $A \Rightarrow C$. Here $A$ and $C$ are formulas in Trajectory Evaluation Logic (TEL). The only variables in the logic are time-independent Boolean variables taken from the set $V$ of symbolic constants. The language is given by the following grammar:

$$
f ::= n \text{ is } 0 \mid n \text{ is } 1 \mid f_1 \text{ and } f_2 \mid P \to f \mid \mathrm{N} f
$$

where $n$ is a circuit node and $P$ is a Boolean propositional formula over the set of symbolic constants $V$. The operator is is used to make a statement about the Boolean value of a particular node in the circuit, and is conjunction, $\to$ is used to make conditional statements, and $\mathrm{N}$ is the next time operator. Note that symbolic constants only occur in the Boolean propositional expressions on the left-hand side of an implication. The notation $n \text{ is } P$, where $P$ is a Boolean symbolic expression over the set of symbolic constants $V$, is used to abbreviate the formula $(\neg P \to n \text{ is } 0) \text{ and } (P \to n \text{ is } 1)$.

The depth of a TEL-formula $f$ is the maximal degree of nesting of $\mathrm{N}$ in $f$. The depth of an STE-assertion $A \Rightarrow C$ is the maximum of the depth of $A$ and the depth of $C$.

The meaning of a TEL formula is defined by a satisfaction relation that relates valuations of the symbolic constants and sequences to TEL formulas. Here, the following notation is used: the time shifting operator $\sigma^1$ is defined by $\sigma^1(t)(n) = \sigma(t + 1)(n)$. Standard propositional satisfiability is denoted by $\models_{\mathrm{prop}}$. Satisfaction of a trajectory evaluation logic formula $f$ of depth $d$, by a sequence $\sigma$ of at least depth $d$, and a valuation $\phi : V \to \{0, 1\}$ (written $\phi, \sigma \models f$) is defined by

$$
\begin{array}{lcl}
\phi, \sigma \models n \text{ is } b & \equiv & b \le \sigma(0)(n), \quad b \in \{0, 1\} \\
\phi, \sigma \models f_1 \text{ and } f_2 & \equiv & \phi, \sigma \models f_1 \text{ and } \phi, \sigma \models f_2 \\
\phi, \sigma \models P \to f & \equiv & \phi \models_{\mathrm{prop}} P \text{ implies } \phi, \sigma \models f \\
\phi, \sigma \models \mathrm{N} f & \equiv & \phi, \sigma^1 \models f
\end{array}
$$

Here $\le$ is the information order on $\{0, 1, \mathrm{X}, \top\}$, so a node with the over-constrained value $\top$ satisfies both $n \text{ is } 0$ and $n \text{ is } 1$; the semantics below differ precisely in how they treat this case.

Semantics for STE We introduce three semantics for STE. They differ in the way that the over-constrained value $\top$ is dealt with. There are several ways of dealing with this value in a semantics for STE.

First of all, we can treat $\top$ as a global contradiction. That is, a sequence that gives value $\top$ to any node satisfies any antecedent and consequent. So, in order to check whether an STE-assertion holds we need only consider three-valued sequences.

Definition 2.4. A circuit with closure function $F$ satisfies a trajectory assertion $A \Rightarrow C$ of depth $d$, written $F \models A \Rightarrow C$, iff for every valuation $\phi : V \to \{0, 1\}$ of the symbolic constants, and for every three-valued trajectory $\tau$ of $F$ of depth $d$, it holds that:

$$
\phi, \tau \models A \;\text{ implies }\; \phi, \tau \models C.
$$

Secondly, we can treat $\top$ as a local contradiction. For example, the requirement that a node should have value 1 is fulfilled if the node has value $\top$. But other, unrelated requirements are unaffected. We introduce the simple semantics for STE using this approach.

Definition 2.5. A circuit with closure function $F$ simply satisfies a trajectory assertion $A \Rightarrow C$ of depth $d$, written $F \models_{\mathrm{simple}} A \Rightarrow C$, iff for every valuation $\phi : V \to \{0, 1\}$ of the symbolic constants, and for every trajectory $\tau$ of $F$ of depth $d$ (three-valued or not), it holds that $\phi, \tau \models A$ implies $\phi, \tau \models C$.
The simple semantics turns out to be useful when we compare the proving power of STE and GSTE in a precise way in Sect. 4. In the simple semantics, it is for example meaningful to talk about what happens in a sequence before certain nodes get a value $\top$ forced by an antecedent.

Finally, we can treat $\top$ as an error. That is, if a node is required to have value $\top$ by the antecedent of an STE-assertion, the STE-assertion is not true. This is the default approach taken in Intel's in-house verification toolkit Forte [3]: it raises an antecedent failure if a node is required to have value $\top$ by the antecedent. We call this semantics the cautious semantics for STE.

Definition 2.6. A circuit with closure function $F$ cautiously satisfies a trajectory assertion $A \Rightarrow C$ of depth $d$, written $F \models_{\mathrm{cautious}} A \Rightarrow C$, iff both $F \models A \Rightarrow C$ and for every valuation $\phi$ of the symbolic constants there exists a three-valued trajectory $\tau$ of depth $d$ such that $\phi, \tau \models A$.

Example 2.7. For an AND-gate with inputs $\mathit{in}_1$ and $\mathit{in}_2$, and output $\mathit{out}$, the assertion

$$
(\mathit{out} \text{ is } 1) \text{ and } (\mathit{in}_1 \text{ is } a) \text{ and } (\mathit{in}_2 \text{ is } b) \;\Rightarrow\; (\mathit{in}_1 \text{ is } 1) \text{ and } (\mathit{in}_2 \text{ is } 1)
$$

is true in the normal semantics but not in the cautious semantics.

For valuations that give at least one of the symbolic constants $a$ and $b$ the value 0, there are no three-valued trajectories that meet the antecedent: there are no three-valued trajectories in which at least one of the inputs of the AND-gate (nodes $\mathit{in}_1$ and $\mathit{in}_2$) has value 0, while the output (node $\mathit{out}$) has value 1. Only for the valuation that gives both the symbolic constants value 1, there exists a three-valued trajectory that satisfies the antecedent. As this trajectory satisfies the consequent as well, the assertion is true in the normal semantics. □

3. A Faithful Semantics for GSTE

Figure 4: A simple circuit

In this section, we present an alternative semantics for GSTE. As stated in the introduction, there are two reasons for doing so. First of all, the existing semantics for GSTE [17] are not faithful to the proving power of GSTE algorithms. Therefore, they cannot be used to understand or predict whether certain properties can be proven by GSTE model checkers. Secondly, a faithful semantics for GSTE can be used as basis for research on new GSTE model checking algorithms and other GSTE tools.

The semantics presented in this section is built up in the same way as the semantics for STE in the previous section. First, we introduce the concept of sequence graphs. Like sequences in STE, sequence graphs represent circuit behaviour over time.

Then, we define a closure function for sequence graphs. Comparable to the closure function for sequences in STE, the closure function for sequence graphs, given a sequence graph, calculates all information that can be derived by forwards propagation of information.

After that, we introduce the concept of trajectory graphs. A trajectory graph is a sequence graph in which no more information can be derived by forwards propagation of information. Thus, a sequence graph is a trajectory graph precisely when it is a fixpoint of the closure function for sequence graphs.

Then, we formally define the concept of assertion graphs. Examples of assertion graphs 
are given in the introduction of this paper. An assertion graph describes a property of the 
behaviour of the circuit, possibly ranging over unbounded time. 

Finally, by combining all these concepts, we introduce a faithful semantics for GSTE. 

3.1. Sequence Graphs. We introduce the concept of sequence graphs to represent circuit 
behaviours over time. They are comparable to the concept of sequences in STE. Sequence 
graphs, however, are more expressive: each sequence graph represents a (possibly infinite) 
number of sequences. 

Example 3.1. Consider the circuit given in Figure 4. The following picture represents a sequence graph of the circuit (drawn here as an edge list, each edge labelled with its state):

$$
\mathit{init} \xrightarrow{11\mathrm{X}} v, \quad \mathit{init} \xrightarrow{0\mathrm{XX}} v, \quad v \xrightarrow{\mathrm{XXX}} w, \quad w \xrightarrow{000} w \qquad (3.1)
$$

The sequence graph has vertices $\mathit{init}$, $v$ and $w$, two edges from $\mathit{init}$ to $v$, an edge from $v$ to $w$, and an edge from $w$ to itself. In the picture, states are represented by vectors of truth-values, in the order $\mathit{in}, \mathit{out}', \mathit{out}$. For instance, in the state represented by $11\mathrm{X}$, node $\mathit{in}$ has value 1, node $\mathit{out}'$ has value 1, and node $\mathit{out}$ has value X.

Each path in the graph starting in the initial vertex $\mathit{init}$ represents a possible behaviour of the circuit over time. For instance, consider the path starting in $\mathit{init}$, going through the top edge between $\mathit{init}$ and $v$, and then cycling twice through the looping edge at vertex $w$. This path represents the sequence

$$
[11\mathrm{X}, \mathrm{XXX}, 000, 000] \qquad □
$$

The reader should note the difference between sequence graphs and assertion graphs (see the introduction for an example of an assertion graph). Sequence graphs represent circuit behaviour (corresponding to sequences in STE), whereas assertion graphs describe desired properties of circuit behaviour (corresponding to assertions in STE).

Definition 3.2. A sequence graph is a triple $(V, E, \Sigma)$, where:

• $V$ is a finite set of vertices containing the initial vertex $\mathit{init}$.

• $E$ is a finite set of directed edges between vertices. Each edge $e$ has a start vertex $\mathit{start}(e)$ and an end vertex $\mathit{end}(e)$. Multiple edges between two vertices are allowed.

• $\Sigma : E \to \mathit{State}$ is a function from edges to circuit states.

We say that sequence graphs $(V_1, E_1, \Sigma_1)$ and $(V_2, E_2, \Sigma_2)$ are of the same shape iff $V_1 = V_2$ and $E_1 = E_2$. The set of all sequence graphs is denoted $\mathit{SeqGraph}$.

Usually, a sequence graph is identified by the function $\Sigma$ only.

The order $\le$ and the operators $\sqcup$ and $\sqcap$ on the domain $\{0, 1, \mathrm{X}, \top\}$ are extended in a point-wise fashion to pairs of sequence graphs of the same shape. That is, the order $\le$ on sequence graphs is defined by $\Sigma_1 \le \Sigma_2$ iff for all edges $e$ and nodes $n$, $\Sigma_1(e)(n) \le \Sigma_2(e)(n)$. Furthermore, $(\Sigma_1 \sqcup \Sigma_2)(e)(n) = \Sigma_1(e)(n) \sqcup \Sigma_2(e)(n)$ and $(\Sigma_1 \sqcap \Sigma_2)(e)(n) = \Sigma_1(e)(n) \sqcap \Sigma_2(e)(n)$.

An edge is initial if it starts in the initial vertex $\mathit{init}$. We define the set of incoming edges of an edge $e$, written $\mathit{in}(e)$, by:

$$
\mathit{in}(e) = \{ e' \in E \mid \mathit{start}(e) = \mathit{end}(e') \}
$$

A path of depth $d$ is a list of edges $p = (e_0, e_1, \dots, e_d)$ such that for each $i$, $\mathit{start}(e_{i+1}) = \mathit{end}(e_i)$. An initial path is a path whose first edge is initial.

A finite initial path $p$ of depth $d$ in a sequence graph $\Sigma$ represents the sequence $\mathit{seq}(\Sigma, p)$ of depth $d$ defined by

$$
\mathit{seq}(\Sigma, p)(t) = \Sigma(p(t)).
$$

A sequence graph $\Sigma$ represents the set of sequences $\mathit{seq}(\Sigma)$ defined by

$$
\mathit{seq}(\Sigma) = \{ \mathit{seq}(\Sigma, p) \mid p \text{ is a finite initial path in } \Sigma \}
$$

We will only consider sequence graphs in which each edge and each vertex is reachable from 
the initial vertex init. That is, we require that for each edge there exists an initial path 
containing the edge, and for each vertex there exists an initial path containing the vertex. 
The reason is that states at unreachable edges cannot appear in the sequences represented 
by the sequence graph. 

Example 3.3. The sequence graph (3.1) represents the following infinite set of sequences:

[11X]
[11X, XXX]
[11X, XXX, 000]
[11X, XXX, 000, 000]
...
[0XX]
[0XX, XXX]
[0XX, XXX, 000]
[0XX, XXX, 000, 000]
...

The sequence graph

$$
\mathit{init} \xrightarrow{111} v, \quad v \xrightarrow{\mathrm{XXX}} v, \quad v \xrightarrow{000} w
$$

represents the following infinite set of sequences:

[111]
[111, 000]
[111, XXX]
[111, XXX, 000]
[111, XXX, XXX]
[111, XXX, XXX, 000]
...

□

3.2. Trajectory Graphs and Closure Functions. We introduce the concept of trajec- 
tory graphs to represent sequence graphs in which no more information can be derived by 
forwards propagation of information. Trajectory graphs are comparable to the concept of 
trajectories in STE. 

In order to define trajectory graphs, we define a closure function for sequence graphs, written $F^{\circ} : \mathit{SeqGraph} \to \mathit{SeqGraph}$. The idea is that such a closure function, given a sequence graph, derives all information that can be derived by forwards propagation. Then, a trajectory graph is defined as a fixpoint of this closure function.

Before doing so, let us first get some more intuition on desired properties for a closure function for sequence graphs. Recall that a sequence graph represents a (possibly infinite) collection of sequences. Each initial path $p$ in the graph represents a sequence $\mathit{seq}(\Sigma, p)$ as defined before.

Furthermore, recall from the introduction that when a circuit satisfies a GSTE assertion graph, the circuit should also satisfy all STE-assertions corresponding to finite initial paths in the assertion graph.

Therefore, given a sequence graph and an initial path $p$ in the graph, we expect that the closure function on sequence graphs $F^{\circ}$ for the edges in $p$ derives at most the information that the closure function for sequences does for the sequence $\mathit{seq}(\Sigma, p)$. The reason for requiring this is that if the closure function on sequence graphs were to derive more information for a particular sequence in the sequence graph than the closure function on sequences, then we could construct a GSTE assertion graph that is satisfied by the circuit, but that contains a path corresponding to an untrue STE-assertion.

So, we require the following property:

Property 3.4. A closure function $F^{\circ}$ for sequence graphs derives no more information than a closure function on sequences $F^{\to}$, if for all sequence graphs $\Sigma$ and initial paths $p$,

$$
\mathit{seq}(F^{\circ}(\Sigma), p) \le F^{\to}(\mathit{seq}(\Sigma, p))
$$

The closure function for sequence graphs is allowed to derive less information for a particular path than the closure function for sequences does. The reason is that an edge might be reached via different initial paths. If, for these paths, the closure function for sequences derives conflicting values for a circuit node at that edge, the above property forces the circuit node to take on value X. We elaborate on this in Example 3.6.

Defining a closure function for sequence graphs is a greater challenge than defining a 
closure function for sequences. There are two reasons for this. 

First of all, in STE, for a state at time t + 1, there is precisely one "previous" state, 
namely the state at time t. So, it is clear how the information from previous points in time 
should be propagated. In GSTE, however, a state at an edge can have multiple predecessors. 
So, we have to decide how to combine information from incoming edges. 

Secondly, in STE-sequences, the state at each time-point depends only on the previous 
states, and, thus, never on itself. In GSTE sequence graphs, however, cycles may be present, 
therefore a state may, via a cycle, depend on itself. 

In the following, we gradually construct a closure function for sequence graphs by 
considering closure functions for increasingly more complex sets of sequence graphs. First, 
we only consider linear sequence graphs, then we look at acyclic sequence graphs, and 
finally we consider general sequence graphs. 



Linear sequence graphs. Let us take one step at a time. So, first, assume we have a sequence graph where each vertex has at most one successor and at most one predecessor, and no cycles are present. Such a sequence graph has the following form:

$$
\mathit{init} \longrightarrow v_1 \longrightarrow v_2 \longrightarrow \cdots \longrightarrow v_d
$$

For edges that have exactly one incoming edge, we define the function $\mathit{pre}$ by $\{\mathit{pre}(e)\} = \mathit{in}(e)$. (Recall that $\mathit{in}(e)$ is the set of all incoming edges of $e$.)

For the above sequence graph, a closure function $F^{\circ}_{\mathit{line}}$ can be defined in the same way as in STE. For the initial edge, no information is propagated from a previous time-point, so only closure of the initial state is needed. For each other time-point, information from the previous state should be propagated.

This yields the closure function $F^{\circ}_{\mathit{line}}$:

$$
F^{\circ}_{\mathit{line}}(\Sigma)(e) = \begin{cases} F(\Sigma(e)), & e \text{ is initial} \\ F(\, \Sigma(e) \sqcup \mathit{next}(F^{\circ}_{\mathit{line}}(\Sigma)(\mathit{pre}(e))) \,), & \text{otherwise} \end{cases}
$$

The function $F^{\circ}_{\mathit{line}}$ is well defined as the graphs we consider here are acyclic and edges have at most one predecessor. Note the similarity with the closure function for sequences in Sect. 2.3.

Note that, just like in STE, the initial values of registers are ignored. $F^{\circ}_{\mathit{line}}$ calculates precisely the same information as $F^{\to}$. That is, for each initial path $p$ in a sequence graph $\Sigma$ of the above form,

$$
\mathit{seq}(F^{\circ}_{\mathit{line}}(\Sigma), p) = F^{\to}(\mathit{seq}(\Sigma, p)).
$$



Acyclic sequence graphs. Now, let us consider a more general situation: an acyclic graph.

Example 3.5. Consider the following sequence graph:

$$
\mathit{init} \xrightarrow{11\mathrm{X}} v, \quad \mathit{init} \xrightarrow{000} v, \quad v \xrightarrow{\mathrm{XXX}} w
$$

The edge starting at $v$ has two incoming edges. For this edge, the state at the previous time-point can be any of the states at the predecessor edges, that is $11\mathrm{X}$ and $000$. The first state gives node $\mathit{out}'$ value 1, so if this state had been the only predecessor state, we would have concluded that node $\mathit{out}$ should have value 1 at the edge starting at $v$. However, the state at the second incoming edge gives node $\mathit{out}'$ value 0, so according to this state, node $\mathit{out}$ should have value 0 at the edge starting at $v$. Therefore, as the two incoming edges do not agree on the value of node $\mathit{out}'$, nothing can be derived about the value of node $\mathit{out}$ at the edge starting in $v$. So, no more information can be derived from this sequence graph. □

So, only if all the states of the incoming edges agree on a Boolean value of an input to a register, should this value be propagated to the output of the register. Thus, to combine the values on the inputs of the register, the greatest lower bound should be used. This yields the closure function $F^{\circ}_{\mathit{nocycle}}$:

$$
F^{\circ}_{\mathit{nocycle}}(\Sigma)(e) = \begin{cases} F(\Sigma(e)), & e \text{ is initial} \\ F\Big(\, \Sigma(e) \sqcup \mathop{\sqcap}_{i \in \mathit{in}(e)} \mathit{next}(F^{\circ}_{\mathit{nocycle}}(\Sigma)(i)) \,\Big), & \text{otherwise} \end{cases}
$$

Example 3.6. Applied to the sequence graph in Example 3.5, the closure function yields the same sequence graph. In the graph, the top edge between $\mathit{init}$ and $v$ gives value 1 to $\mathit{out}'$, the bottom edge gives value 0 to this node, so $1 \sqcap 0 = \mathrm{X}$ is propagated for the value of node $\mathit{out}$ for the edge starting in $v$.

In this example, the closure function for sequence graphs derives less information than the closure function for sequences does for the paths in the graph. The reason is that the greatest lower-bound operator is used to combine conflicting information from incoming edges.

Applied to

$$
\mathit{init} \xrightarrow{1\mathrm{XX}} v, \quad \mathit{init} \xrightarrow{1\mathrm{XX}} v, \quad v \xrightarrow{\mathrm{XXX}} w
$$

the closure function yields

$$
\mathit{init} \xrightarrow{11\mathrm{X}} v, \quad \mathit{init} \xrightarrow{11\mathrm{X}} v, \quad v \xrightarrow{\mathrm{X}11} w
$$

As both incoming edges give value 1 to node $\mathit{out}'$, this value is propagated to node $\mathit{out}$. □



General sequence graphs. Now that we have dealt with sequence graphs where edges can have multiple predecessors, it is time to tackle the next challenge: cycles. The following example illustrates that when cycles are present, the equations for $F^{\circ}_{\mathit{nocycle}}$ no longer define a function, but, instead, may have more than one solution.

Example 3.7. Consider the sequence graph:

$$
\mathit{init} \xrightarrow{1\mathrm{XX}} v, \quad v \xrightarrow{\mathrm{XXX}} v \qquad (3.2)
$$

Here, the result for the initial edge still can be calculated (yielding $11\mathrm{X}$), but the result for the self-loop at vertex $v$ is problematic. The equations state:

$$
F^{\circ}_{\mathit{nocycle}}(\Sigma)((v, v)) = F(\, \mathrm{XXX} \sqcup (\mathit{next}(11\mathrm{X}) \sqcap \mathit{next}(F^{\circ}_{\mathit{nocycle}}(\Sigma)((v, v)))) \,)
$$

This can be simplified to:

$$
F^{\circ}_{\mathit{nocycle}}(\Sigma)((v, v)) = F(\, \mathrm{XX}1 \sqcap \mathit{next}(F^{\circ}_{\mathit{nocycle}}(\Sigma)((v, v))) \,),
$$

further simplified to:

$$
F^{\circ}_{\mathit{nocycle}}(\Sigma)((v, v)) = F(\, \mathrm{XX}1 \sqcap \mathrm{XX}(F^{\circ}_{\mathit{nocycle}}(\Sigma)((v, v))(\mathit{out}')) \,),
$$

and finally simplified to:

$$
F^{\circ}_{\mathit{nocycle}}(\Sigma)((v, v)) = F(\, \mathrm{XX}(1 \sqcap F^{\circ}_{\mathit{nocycle}}(\Sigma)((v, v))(\mathit{out}')) \,).
$$

This equation can be rewritten to:

$$
F^{\circ}_{\mathit{nocycle}}(\Sigma)((v, v)) = (\lambda s.\, F(\mathrm{XX}(1 \sqcap s(\mathit{out}'))))\;(F^{\circ}_{\mathit{nocycle}}(\Sigma)((v, v)))
$$

This equation has as solutions precisely the fixpoints of

$$
\lambda s.\, F(\mathrm{XX}(1 \sqcap s(\mathit{out}')))
$$

The two fixed-points are $\mathrm{XXX}$ and $\mathrm{X}11$.

The first fixed-point yields the following sequence graph:

$$
\mathit{init} \xrightarrow{11\mathrm{X}} v, \quad v \xrightarrow{\mathrm{XXX}} v \qquad (3.3)
$$

This contradicts our intuition: if at the first point in time node $\mathit{in}$ has value 1, then we expect that, from the next time-point on, nodes $\mathit{out}$ and $\mathit{out}'$ have value 1 as well. So, only the second fixed-point gives the expected sequence graph:

$$
\mathit{init} \xrightarrow{11\mathrm{X}} v, \quad v \xrightarrow{\mathrm{X}11} v \qquad (3.4)
$$

□

So, in general, when cycles are introduced, the equations for $F^{\circ}_{\mathit{nocycle}}$ no longer define a function: the equations may have more than one solution. Let us study this set of solutions more closely.

To do so, we define, for a given sequence graph $\Sigma$, the function $F_{\Sigma} : \mathit{SeqGraph} \to \mathit{SeqGraph}$ by:

$$
F_{\Sigma}(\Delta)(e) = \begin{cases} F(\Sigma(e)), & e \text{ is initial} \\ F\Big(\, \Sigma(e) \sqcup \mathop{\sqcap}_{i \in \mathit{in}(e)} \mathit{next}(\Delta(i)) \,\Big), & \text{otherwise} \end{cases}
$$

Using this, the equations for $F^{\circ}_{\mathit{nocycle}}$ can be rewritten to:

$$
F^{\circ}_{\mathit{nocycle}}(\Sigma) = F_{\Sigma}(F^{\circ}_{\mathit{nocycle}}(\Sigma))
$$

The solutions of this equation are the set of fixpoints of $F_{\Sigma}$. For example, for $\Sigma$ equal to sequence graph (3.2) the fixpoints are sequence graphs (3.3) and (3.4).
The following lemma states that each fixpoint satisfies Property 3.4.

Lemma 3.8. For each $\Delta$ that is a fixpoint of $F_{\Sigma}$ and for each initial path $p$ in the sequence graph $\Sigma$, it holds that:

$$
\mathit{seq}(\Delta, p) \le F^{\to}(\mathit{seq}(\Sigma, p))
$$

Proof. The proof is by induction on the position in the sequence. The base-case ($t = 0$) follows directly from the definitions of $\mathit{seq}$ and $F^{\to}$. The induction hypothesis is:

$$
\mathit{seq}(\Delta, p)(t) \le (F^{\to}(\mathit{seq}(\Sigma, p)))(t)
$$

If $p(t + 1)$ is not initial, then

$$
\mathit{seq}(\Delta, p)(t + 1) = F\Big(\, \Sigma(p(t + 1)) \sqcup \mathop{\sqcap}_{i \in \mathit{in}(p(t+1))} \mathit{next}(\Delta(i)) \,\Big)
$$

Now:

$$
\begin{array}{ll}
\mathop{\sqcap}_{i \in \mathit{in}(p(t+1))} \mathit{next}(\Delta(i)) \\
\le \mathit{next}(\Delta(p(t))) & (p(t) \in \mathit{in}(p(t + 1))) \\
= \mathit{next}(\mathit{seq}(\Delta, p)(t)) & \text{(definition } \mathit{seq}) \\
\le \mathit{next}(F^{\to}(\mathit{seq}(\Sigma, p))(t)) & \text{(induction hypothesis and monotonicity of } \mathit{next})
\end{array}
$$

Thus, by monotonicity of $F$ and $\sqcup$,

$$
\mathit{seq}(\Delta, p)(t + 1) \le F(\, \mathit{seq}(\Sigma, p)(t + 1) \sqcup \mathit{next}(F^{\to}(\mathit{seq}(\Sigma, p))(t)) \,)
$$

So, by the definition of $F^{\to}$,

$$
\mathit{seq}(\Delta, p)(t + 1) \le F^{\to}(\mathit{seq}(\Sigma, p))(t + 1)
$$

The case for $p(t + 1)$ initial is similar but easier. □

The question now is: which fixpoint should the closure function for sequence graphs choose? As each fixpoint satisfies Property 3.4, it is sound to choose any of them. The following proposition states that there exists a unique greatest fixpoint.

Proposition 3.9. For each $\Sigma$, the function $F_{\Sigma}$ has a unique greatest fixpoint.

Proof. It is easy to see that $F_{\Sigma}$ is monotonic. The collection of sequence graphs with the same vertices and edges as $\Sigma$ and giving values to the same circuit nodes as $\Sigma$ is finite and forms, together with the order $\le$ on sequence graphs, a complete lattice. So, by Tarski's fixpoint theorem [13], $F_{\Sigma}$ has a greatest fixpoint. □

As each fixpoint satisfies Property 3.4, we can safely choose the greatest one, giving the most information. Thus, we define the closure function for sequence graphs as follows:

Definition 3.10. Given a closure function $F$, the closure function for sequence graphs, written $F^{\circ} : \mathit{SeqGraph} \to \mathit{SeqGraph}$, is defined by:

$$
F^{\circ}(\Sigma) = \mathrm{gfp}\, \Delta.\, F_{\Sigma}(\Delta)
$$

Proposition 3.11. Given a closure function $F$, $F^{\circ}$ is a closure function as well.

Proof. Suppose $F$ is a closure function; we have to prove that $F^{\circ}$ is monotonic, extensive and idempotent. $F^{\circ}$ being extensive follows directly from the definition of $F^{\circ}$.

We now prove that $F^{\circ}$ is monotonic. Suppose $\Sigma_1 \le \Sigma_2$, $\Delta_1 = F^{\circ}(\Sigma_1)$ and $\Delta_2 = F^{\circ}(\Sigma_2)$, then

$$
\Delta_1 = F_{\Sigma_1}(\Delta_1) \le F_{\Sigma_2}(\Delta_1)
$$

Tarski's fixpoint theorem [13] states that

$$
\mathrm{gfp}\, \Delta.\, F_{\Sigma_2}(\Delta) = \bigsqcup \{ \Delta \mid \Delta \le F_{\Sigma_2}(\Delta) \}
$$

Thus $\Delta_1 \le \mathrm{gfp}\, \Delta.\, F_{\Sigma_2}(\Delta) = \Delta_2$.

Finally, we prove that $F^{\circ}$ is idempotent. Suppose $F^{\circ}(\Sigma) = \Delta$ and $F^{\circ}(\Delta) = \Delta'$. We need to prove that $\Delta = \Delta'$. By extensivity of $F^{\circ}$ it follows that $\Delta \le \Delta'$. We prove that $\Delta' \le \Delta$ by proving that $\Delta'$ is a fixpoint of $F_{\Sigma}$ (then, because $\Delta$ is the greatest fixpoint of $F_{\Sigma}$, it follows that $\Delta' \le \Delta$). The case for when $e$ is initial is trivial. Suppose $e$ is not initial.

$$
\begin{array}{ll}
F_{\Sigma}(\Delta')(e) \\
= F\big(\Sigma(e) \sqcup \mathop{\sqcap}_{i \in \mathit{in}(e)} \mathit{next}(\Delta'(i))\big) & \text{(definition } F_{\Sigma}) \\
= F\big(\Sigma(e) \sqcup \mathop{\sqcap}_{i \in \mathit{in}(e)} \mathit{next}(\Delta(i)) \sqcup \mathop{\sqcap}_{i \in \mathit{in}(e)} \mathit{next}(\Delta'(i))\big) & \text{(prop. } \sqcup,\ \Delta \le \Delta') \\
= F\big(F\big(\Sigma(e) \sqcup \mathop{\sqcap}_{i \in \mathit{in}(e)} \mathit{next}(\Delta(i))\big) \sqcup \mathop{\sqcap}_{i \in \mathit{in}(e)} \mathit{next}(\Delta'(i))\big) & (F \text{ is a closure function}) \\
= F\big(\Delta(e) \sqcup \mathop{\sqcap}_{i \in \mathit{in}(e)} \mathit{next}(\Delta'(i))\big) & (\Delta \text{ is a fixpoint of } F_{\Sigma}) \\
= \Delta'(e) & (\Delta' \text{ is a fixpoint of } F_{\Delta})
\end{array}
$$

□

3.2.1. Trajectory Graphs. We define a trajectory graph of $F$ as a sequence graph that is a fixpoint of $F^{\circ}$.

Definition 3.12. A sequence graph $\Sigma$ is a trajectory graph of a closure function $F$ if

$$
F^{\circ}(\Sigma) = \Sigma
$$



3.3. Assertion Graphs. In GSTE, circuit properties are given by assertion graphs. An example of an assertion graph is:

$$
\mathit{init} \xrightarrow{\ \mathit{in} \text{ is } 1\,/\,-\ } v, \quad v \xrightarrow{\ -\,/\,\mathit{out} \text{ is } 1\ } v \qquad (3.5)
$$

In the assertion graph, each edge is labelled with a pair $A/C$; here $A$ is called the antecedent and $C$ is called the consequent. Just like in STE, the antecedent represents assumptions made, and the consequent represents requirements.

Both $A$ and $C$ are, like in STE, formulas in trajectory evaluation logic (TEL). However, as each edge represents the state of a single time-point, no occurrences of the next-time operator $\mathrm{N}$ are allowed. We call the subset of TEL in which no next-time operators occur GTEL.

The assertion graph above states that if at some time point node $\mathit{in}$ has value 1, then at each later time-point node $\mathit{out}$ has value 1 as well.

Definition 3.13. An assertion graph is a four-tuple $G = (V, E, \mathit{ant}, \mathit{cons})$. Here, $V$ is a set of vertices containing a vertex $\mathit{init}$ which is called the initial vertex, and $E$ is a set of edges between the vertices. Finally, $\mathit{ant}, \mathit{cons} : E \to \mathit{GTEL}$ are functions from edges to formulas in GTEL.

Recall that a path is called initial iff it starts in the initial vertex $\mathit{init}$. A finite initial path $p$ of depth $d$ in an assertion graph $G$ represents an STE assertion $\mathit{Ass}(G, p)$ defined by

$$
\mathit{Ass}(G, p) = \Big( \mathop{\text{and}}_{0 \le t \le d} \mathrm{N}^t \mathit{ant}(p(t)) \Big) \Rightarrow \Big( \mathop{\text{and}}_{0 \le t \le d} \mathrm{N}^t \mathit{cons}(p(t)) \Big)
$$

An assertion graph represents a (possibly infinite) collection of STE-assertions: for each finite initial path $p$ in the graph, an STE-assertion $\mathit{Ass}(G, p)$. The set of STE-assertions in assertion graph $G$, written $\mathit{Ass}(G)$, is defined by:

$$
\mathit{Ass}(G) = \{ \mathit{Ass}(G, p) \mid p \text{ is a finite initial path in } G \}
$$

Example 3.14. Assertion graph (3.5) above represents the following infinite set of STE-assertions:

$\mathit{in} \text{ is } 1 \Rightarrow \mathrm{N}(\mathit{out} \text{ is } 1)$

$\mathit{in} \text{ is } 1 \Rightarrow \mathrm{N}(\mathit{out} \text{ is } 1) \text{ and } \mathrm{NN}(\mathit{out} \text{ is } 1)$

$\mathit{in} \text{ is } 1 \Rightarrow \mathrm{N}(\mathit{out} \text{ is } 1) \text{ and } \mathrm{NN}(\mathit{out} \text{ is } 1) \text{ and } \mathrm{NNN}(\mathit{out} \text{ is } 1)$

...

□

The idea is that when a circuit satisfies a GSTE assertion graph, the circuit also satisfies all STE assertions in the assertion graph. The converse, however, does not hold, as we will see in the next section.
3.4. Satisfiability. Satisfaction of a GTEL-formula $f$ by a circuit state $s : \mathit{State}$ and a valuation $\phi : V \to \{0, 1\}$ of the symbolic constants (written $\phi, s \models f$) is defined by

$$
\begin{array}{lcl}
\phi, s \models n \text{ is } b & \equiv & b \le s(n), \quad b \in \{0, 1\} \\
\phi, s \models f_1 \text{ and } f_2 & \equiv & \phi, s \models f_1 \text{ and } \phi, s \models f_2 \\
\phi, s \models P \to f & \equiv & \phi \models_{\mathrm{prop}} P \text{ implies } \phi, s \models f
\end{array}
$$

Example 3.15. If $s(\mathit{in}) = 1$ and $s(\mathit{out}) = 0$, and $\phi(a) = 1$ and $\phi(b) = 0$, then

$$
\phi, s \models (\mathit{in} \text{ is } a) \text{ and } (\mathit{out} \text{ is } b) \text{ and } (\mathit{in} \text{ is } \neg(a \wedge b)) \qquad □
$$

We say that a sequence graph $(V, E, \Sigma)$ satisfies a function $f : E \to \mathit{GTEL}$, $f \in \{\mathit{ant}, \mathit{cons}\}$, and a valuation $\phi : V \to \{0, 1\}$ of the symbolic constants, written $\phi, \Sigma \models f$, if for all edges $e$:

$$
\phi, \Sigma(e) \models f(e)
$$

Note that the definition of satisfaction above requires that the shape of the sequence graph be identical to the shape of the assertion graph from which the antecedent or consequent is taken.

Example 3.16. If $G = (V, E, \mathit{ant}, \mathit{cons})$ is assertion graph (3.5), $\Sigma_1$ is sequence graph (3.2), and $\Sigma_2$ is sequence graph (3.4), then for any $\phi$: $\phi, \Sigma_1 \models \mathit{ant}$, $\phi, \Sigma_2 \models \mathit{ant}$, $\phi, \Sigma_1 \not\models \mathit{cons}$, and $\phi, \Sigma_2 \models \mathit{cons}$. □

Just like in STE, in GSTE there are several ways of dealing with the over-constrained value $\top$. We can treat $\top$ just as any other value, leading to the simple semantics of GSTE. Or, we can treat an over-constrained value as an error, leading to the cautious semantics of GSTE.

In GSTE, however, we cannot treat $\top$ as a contradiction in the same way as we did in STE. The reason is the following. Consider a semantics in which a sequence graph that assigns a $\top$ to a circuit node at an edge satisfies any antecedent and consequent. In such a semantics, GSTE assertion graphs containing false STE-assertions may still be true. For example, given a GSTE assertion graph containing a false STE-assertion, we can simply add a fresh initial edge with an inconsistent antecedent, making the GSTE assertion true.

If, instead, we require a $\top$ value on each path in the graph to deem a sequence graph contradictory, this problem does not occur. However, as the implementation of such a semantics in a GSTE model checker seems cumbersome, we will not elaborate on such a semantics further.

In the definition of simple satisfaction for GSTE, the value $\top$ is treated just like any other value, and models a local conflict of demands made by the assertion. In this paper, we consider this the 'standard' semantics for GSTE. As explained later, in the section on GSTE model checking, this turns out to correspond well with what most GSTE algorithms do in practice.

Definition 3.17. We say that a closure function $F$ simply satisfies an assertion graph $G = (V, E, \mathit{ant}, \mathit{cons})$, written $F \models_{\mathrm{simple}} G$, if for all assignments of symbolic constants $\phi : V \to \{0, 1\}$ and all trajectory graphs $\Sigma$ of $F$ of the same shape as $G$,

$$
\phi, \Sigma \models \mathit{ant} \;\text{ implies }\; \phi, \Sigma \models \mathit{cons}.
$$

Example 3.18. If $G = (V, E, \mathit{ant}, \mathit{cons})$ is assertion graph (3.5), and $F$ is the closure function for the circuit in Figure 4, then $F \models_{\mathrm{simple}} G$.

This can be explained as follows. It is easy to see that, for any $\phi$, sequence graph (3.2) is the weakest sequence graph that makes the antecedent of $G$ true. Let us call this sequence graph $\Sigma$. Trajectory graph (3.4) is $F^{\circ}(\Sigma)$. We claim that it is the weakest trajectory graph satisfying $\mathit{ant}$. This can be proven easily. Suppose $T$ is a trajectory graph satisfying $\mathit{ant}$, then $\Sigma \le T$, so by monotonicity of $F^{\circ}$ and because $T$ is a fixpoint of $F^{\circ}$, $F^{\circ}(\Sigma) \le F^{\circ}(T) = T$. Thus, as the weakest trajectory graph satisfying $\mathit{ant}$ also satisfies $\mathit{cons}$, and satisfaction of a formula is preserved when moving up in the information order, all trajectory graphs that satisfy $\mathit{ant}$ satisfy $\mathit{cons}$ as well. So, $F \models_{\mathrm{simple}} G$.

In Section 5 we explain that, in the general case, to check whether a circuit simply satisfies an assertion graph, we only have to, for each $\phi$, consider the weakest trajectory graph that satisfies the antecedent $\mathit{ant}$. □

In the definition of cautious satisfaction for GSTE, the value T is treated as an error: 
the antecedent must be satisfiable by a trajectory graph without forcing any node to T. 

Definition 3.19. We say that a closure function $F$ cautiously satisfies an assertion graph 
$G = (V, E, ant, cons)$, written $F \models_{cautious} G$, if $F$ simply satisfies $G$ and for all assignments 
of symbolic constants $\phi$ there exists a trajectory graph $\Sigma$ of $F$, in which no node takes the 
value T, such that $\phi, \Sigma \models ant$. 

The following example illustrates the difference between the two definitions. 

Example 3.20. The circuit in Figure 1 simply satisfies the following assertion graph. It 
does, however, not cautiously satisfy it. 

init --[in is 1 / -]--> v --[out is 0 / out is 1]--> w 

(Edges are labelled antecedent / consequent; '-' is the empty constraint.) 



4. Comparing with STE 

In this section we compare STE with GSTE. The purpose is to make the relationship 
between STE and GSTE model checking clear. 

The following proposition states that if a closure function satisfies an assertion graph, 
it simply satisfies all STE-assertions in the assertion graph as well. 

Proposition 4.1. Given an assertion graph $G = (V, E, ant, cons)$ for a circuit with closure 
function $F$: 

$F \models G \;\Rightarrow\; (\text{for all assertions } (A \Rightarrow C) \in Ass(G) :\ F \models_{simple} (A \Rightarrow C))$ 



Proof. Suppose $F \models G$, $p$ is a finite path of depth $d$ in $G$, $A \Rightarrow C = Ass(G, p)$, $\phi$ a 
valuation of the symbolic constants, and $\tau$ a trajectory of $F$ of depth $d$ such that $\phi, \tau \models A$. 
We need to prove that $\phi, \tau \models C$. 

Let $\Sigma$ be the sequence graph that has the same shape as assertion graph $G$ and is 
further defined by: 

$\Sigma(e) = \bigsqcap_{0 \le t < d,\ p(t) = e} \tau(t)$ 

Note that $\Sigma(e)(n) = \top$ for edges $e$ not in the path $p$ (the empty meet). We now prove that $\phi, \Sigma \models ant$. As 
$\phi, \tau \models A$, and $A = \mathrm{and}_{0 \le t < d}\, N^t(ant(p(t)))$, for each $t$ holds: 

$\phi, \tau(t) \models ant(p(t))$ 

Thus for all $e \in E$: 

$\phi, \bigsqcap_{0 \le t < d,\ p(t) = e} \tau(t) \models ant(e)$ 

Thus, $\phi, \Sigma \models ant$. As $F^\circ$ is extensive, $\phi, F^\circ(\Sigma) \models ant$ as well. As $F^\circ(\Sigma)$ is a trajectory 
graph, and $F \models G$, it holds that $\phi, F^\circ(\Sigma) \models cons$. By Property 3.4, 

$seq(F^\circ(\Sigma), p) \le F^{\to}(seq(\Sigma, p))$ 

Thus, as $seq(\Sigma, p) \le \tau$ and $\tau$ is a fixpoint of $F^{\to}$: 

$seq(F^\circ(\Sigma), p) \le F^{\to}(\tau) = \tau$ 

Now, as $\phi, F^\circ(\Sigma) \models cons$, for all $e \in E$: 

$\phi, F^\circ(\Sigma)(e) \models cons(e)$ 

and since $F^\circ(\Sigma)(p(t)) \le \tau(t)$ for each $0 \le t < d$: 

$\phi, \tau(t) \models cons(p(t))$ 

As $C = \mathrm{and}_{0 \le t < d}\, N^t(cons(p(t)))$, it follows that $\phi, \tau \models C$. □ 

The converse, 

$(\text{for all assertions } (A \Rightarrow C) \in Ass(G) :\ F \models_{simple} (A \Rightarrow C)) \;\Rightarrow\; F \models G$ 

however, is not true. The reason is that GSTE combines conflicting information between 
incoming edges by using the greatest lower bound operator. This is illustrated by the 
following example. 

Example 4.2. Consider the following circuit (the figure did not survive extraction; from the 
assertions and the trajectory graph below, $p$ is a register with input $p'$, and $out$ is computed 
from $p$ such that it is 1 when $p$ is 0 or 1, but X when $p$ is X): 

The induced closure function of this circuit satisfies the STE-assertions $p'\ \mathrm{is}\ 1 \Rightarrow N(out\ \mathrm{is}\ 1)$ 
and $p'\ \mathrm{is}\ 0 \Rightarrow N(out\ \mathrm{is}\ 1)$. Consider the following sequence graph. In the picture, states 
are represented by vectors of truth-values, in the order $p'$, $p$, $out$. 

init --[1XX]--> v 
init --[0XX]--> v 
v --[XXX]--> w 

The sequence graph is a trajectory graph of the closure function. Thus, the closure function 
does not satisfy the below GSTE assertion graph. 

init --[p' is 1 / -]--> v 
init --[p' is 0 / -]--> v 
v --[- / out is 1]--> w 

□ 



The following example shows that if a GSTE assertion graph is cautiously satisfied 
(that is, no node has to assume value T to satisfy the antecedent), there may still be an 
STE-assertion represented by the assertion graph that is not cautiously satisfied. 
Example 4.3. Consider a circuit consisting of a single register with input reg' and output 
reg, and the following assertion graph. 

init --[reg' is 1 / -]--> v 
init --[reg' is 0 / -]--> v 
v --[reg is 1 / reg is 1]--> w 

The induced closure function of the circuit satisfies the assertion graph. The reason is that 
the two incoming edges at vertex v disagree on the value of node reg', therefore the value 
X is propagated to the outgoing edge of vertex v. The outgoing edge of vertex v requires 
reg to have value 1, therefore the consequent at that edge is satisfied. The antecedent does 
not force any node to take on value T, so the assertion graph is cautiously satisfied. 
But, the STE-assertion corresponding to the bottom initial path 

$(reg'\ \mathrm{is}\ 0)\ \mathrm{and}\ N(reg\ \mathrm{is}\ 1) \;\Rightarrow\; N(reg\ \mathrm{is}\ 1)$ 

is not cautiously satisfied, as every trajectory that satisfies the antecedent gives node reg 
value T at time 1. □ 



5. GSTE MODEL CHECKING 

In [15, 16, 17] model checking algorithms for GSTE are described. In this section, 
we show the correspondence between the GSTE semantics presented in this paper and 
a standard model checking algorithm. We do this by first relating our semantics to a 
GSTE algorithm designed by ourselves, which uses a non-standard fixpoint computation. 
We proceed by showing that our algorithm computes the same result as the algorithm 
presented in [17]. 

Furthermore, as we are concerned with precisely describing abstraction only, we ignore 
extensions of GSTE algorithms such as backwards information flow and fairness constraints. 

5.1. Fundamental theorem of GSTE. Comparable to STE, GSTE model checking is 
based on the following: Instead of checking that for every trajectory graph, the antecedent 
implies the consequent, a unique weakest trajectory graph satisfying the antecedent is cal- 
culated. We call this graph the defining trajectory graph. 

To check whether a circuit simply satisfies an assertion graph, it suffices to check 
whether the defining trajectory graph satisfies the consequent part of the assertion graph. 

Before giving the definition of the defining trajectory graph, we first introduce the 
concept of the defining sequence graph. The defining sequence graph of an antecedent is the 
unique weakest sequence graph satisfying the antecedent and is defined as follows. 

Given an antecedent function $ant : E \to \mathrm{GTEL}$ and an assignment of symbolic constants 
$\phi$, we define the defining sequence graph of $ant$ and $\phi$, written $\psi^\phi[ant]$, by: 

$\psi^\phi[ant](e) = \psi^\phi[ant(e)]_{state}$ 

where 

$\psi^\phi[m\ \mathrm{is}\ b]_{state}(n) = \phi(b)$ if $m = n$, and $X$ otherwise 

$\psi^\phi[f_1\ \mathrm{and}\ f_2]_{state} = \psi^\phi[f_1]_{state} \sqcup \psi^\phi[f_2]_{state}$ 

$\psi^\phi[P \to f]_{state} = \psi^\phi[f]_{state}$ if $\phi \models P$, and the state that is $X$ everywhere otherwise 

Proposition 5.1. $\psi^\phi[ant]$ is the weakest sequence graph satisfying $ant$ and $\phi$. 

Proof. Trivial, by considering one edge at a time and induction on the structure of the 
antecedent at that edge. □ 

Given an antecedent function $ant : E \to \mathrm{GTEL}$, a closure function $F$, and an assignment 
of symbolic constants $\phi$, we define the defining trajectory graph of $ant$, $F$ and $\phi$, written 
$\zeta^\phi\llbracket ant \rrbracket$, by: 

$\zeta^\phi\llbracket ant \rrbracket = F^\circ(\psi^\phi[ant])$ 

Proposition 5.2. $\zeta^\phi\llbracket ant \rrbracket$ is the weakest trajectory graph satisfying $ant$. 

Proof. From $F^\circ$ being extensive, it follows directly that $\psi^\phi[ant] \le F^\circ(\psi^\phi[ant])$, so 
$\zeta^\phi\llbracket ant \rrbracket \models ant$. 

Suppose $\Sigma'$ is a trajectory graph satisfying $ant$; then $\psi^\phi[ant] \le \Sigma'$. From monotonicity of 
$F^\circ$, it follows that $F^\circ(\psi^\phi[ant]) \le F^\circ(\Sigma')$. As $\Sigma'$ is a fixpoint of $F^\circ$, it follows that 
$F^\circ(\psi^\phi[ant]) \le \Sigma'$. □ 

Theorem 5.3 (Fundamental Theorem of GSTE). For each closure function $F$ and assertion 
graph $G = (V, E, ant, cons)$: 

$(\text{for all assignments of symbolic constants } \phi :\ \psi^\phi[cons] \le \zeta^\phi\llbracket ant \rrbracket) \;\Leftrightarrow\; F \models_{simple} G$ 

Proof. Directly from Propositions 5.1 and 5.2. □ 

The fundamental theorem of GSTE states that to check whether a circuit with closure 
function $F$ satisfies an assertion graph, we only have to check that, for each $\phi$, the defining 
trajectory graph of $F$ satisfies the consequent. 



5.2. GSTE Algorithm. The GSTE algorithm calculates a symbolic representation of the 
defining trajectory graph of an antecedent. Then, it checks whether this symbolic defining 
trajectory graph meets the consequent. 

We first present a scalar version of the algorithm. 



5.2.1. A scalar GSTE-algorithm. In (our version of the) scalar GSTE-algorithm, the defining 
trajectory graph of the antecedent is calculated using the constructive version of Tarski's 
fixpoint theorem [13]. 

Proposition 5.4. For each $\Sigma$, the greatest fixpoint of the function $F^\circ_\Sigma$ is equal to the limit 
of the sequence $\Delta^\Sigma_k = (F^\circ_\Sigma)^k(\top)$. Here, $\top$ represents the sequence graph with the same edges 
and vertices as $\Sigma$ that gives value T to each circuit node at each edge. 

Proof. A function $f$ is continuous if for all sequences $d_0, d_1, d_2, \ldots$ such that $d_{i+1} \le d_i$ holds: 

$f\left(\bigsqcap_{k \in \mathbb{N}} d_k\right) = \bigsqcap_{k \in \mathbb{N}} f(d_k)$ 

The constructive version of Tarski's fixpoint theorem [13] states that the greatest fixpoint 
of a monotone and continuous function $f$ on a complete lattice is given by $\bigsqcap_{k \in \mathbb{N}} f^k(\top)$. 

We will use this version of Tarski's fixpoint theorem to prove the proposition. First, 
we prove that each monotone function on a finite domain is also continuous. Suppose $f$ is 
monotone on a finite domain, and $d_0, d_1, d_2, \ldots$ is a sequence such that $d_{i+1} \le d_i$. As the 
domain is finite, the sequence eventually becomes constant, say with value $d^*$, thus: 

$f\left(\bigsqcap_{k \in \mathbb{N}} d_k\right) = f(d^*)$ 

By monotonicity of $f$, the sequence $f(d_0), f(d_1), f(d_2), \ldots$ is decreasing as well, and it 
eventually becomes constant with value $f(d^*)$. So: 

$\bigsqcap_{k \in \mathbb{N}} f(d_k) = f(d^*)$ 

Therefore, $F^\circ_\Sigma$ is both monotone and continuous. Thus: 

$\mathrm{gfp}\,\Delta.\,F^\circ_\Sigma(\Delta) = \bigsqcap_{k \in \mathbb{N}} (F^\circ_\Sigma)^k(\top) = \bigsqcap_{k \in \mathbb{N}} \Delta^\Sigma_k$ 

We prove by induction on $k$ that $\Delta^\Sigma_{k+1} \le \Delta^\Sigma_k$ for each $k$. 

The case for $k = 0$ is trivial, as $\Delta^\Sigma_0 = \top$. The induction hypothesis is $\Delta^\Sigma_{k+1} \le \Delta^\Sigma_k$. We prove that 
$\Delta^\Sigma_{k+2} \le \Delta^\Sigma_{k+1}$. The case where $e$ is initial is trivial, as both sides equal $F(\Sigma(e))$. Suppose $e$ is not initial. Then, 

$\Delta^\Sigma_{k+2}(e)$ 

$= F^\circ_\Sigma(\Delta^\Sigma_{k+1})(e)$ (Definition $\Delta^\Sigma_{k+2}$) 

$= F\left(\Sigma(e) \sqcup \bigsqcap_{i \in in(e)} next(\Delta^\Sigma_{k+1}(i))\right)$ (Definition $F^\circ_\Sigma$) 

$\le F\left(\Sigma(e) \sqcup \bigsqcap_{i \in in(e)} next(\Delta^\Sigma_k(i))\right)$ (Induction Hypothesis; $F$, $next$, $\sqcup$ and $\sqcap$ are monotone) 

$= F^\circ_\Sigma(\Delta^\Sigma_k)(e)$ (Definition $F^\circ_\Sigma$) 

$= \Delta^\Sigma_{k+1}(e)$ (Definition $\Delta^\Sigma_{k+1}$) 

So, the decreasing sequence $\Delta^\Sigma_0, \Delta^\Sigma_1, \Delta^\Sigma_2, \ldots$ over a finite domain eventually reaches a fixpoint $\Delta^\Sigma_*$, 
which is its greatest lower bound. Thus: 

$\mathrm{gfp}\,\Delta.\,F^\circ_\Sigma(\Delta) = \Delta^\Sigma_*$ □ 

Definition 5.5 (Scalar GSTE-algorithm). Given an assertion graph $G$ and a closure function 
$F$, the scalar GSTE-algorithm calculates for every $\phi$ the defining trajectory graph 
$\zeta^\phi\llbracket ant \rrbracket$ by calculating $\Delta^{\psi^\phi[ant]}_*$, and checks whether 

$\psi^\phi[cons] \le \zeta^\phi\llbracket ant \rrbracket$ 

If this check fails for any $\phi$, the algorithm returns False; otherwise it returns True. 

Proposition 5.6. The scalar algorithm is sound and complete with respect to the presented 
semantics for GSTE. 

Proof. Directly from the fundamental theorem of GSTE and Proposition 5.4. □ 
Comparing with earlier presentation. In [17] the fixpoint is calculated in a slightly 
different way. If we adjust the presentation to use the closure function $F$ instead of a 
transition relation, the following sequence is defined for a given sequence graph $\Sigma$: 

$\Gamma^\Sigma_0(e) = F(\Sigma(e))$ if $e$ is an initial edge, and $\top$ otherwise 

$\Gamma^\Sigma_{k+1}(e) = \Gamma^\Sigma_k(e) \sqcap F\left(\Sigma(e) \sqcup \bigsqcap_{i \in in(e)} next(\Gamma^\Sigma_k(i))\right)$ 

Proposition 5.7. For each $\Sigma$, $\Gamma^\Sigma_* = \Delta^\Sigma_*$. 

Proof. By definition, $\Delta^\Sigma_0(e)(n) = \top$, and 

$\Delta^\Sigma_{k+1}(e) = F(\Sigma(e))$ if $e$ is initial, and $F\left(\Sigma(e) \sqcup \bigsqcap_{i \in in(e)} next(\Delta^\Sigma_k(i))\right)$ otherwise. 

We first prove by induction on $k$ that for each initial edge $e$, $\Gamma^\Sigma_k(e) = F(\Sigma(e))$. The base 
case holds by definition. Now suppose $\Gamma^\Sigma_k(e) = F(\Sigma(e))$ for each initial edge $e$; then for an arbitrary 
initial edge $e$: 

$\Gamma^\Sigma_{k+1}(e)$ 

$= \Gamma^\Sigma_k(e) \sqcap F(\Sigma(e) \sqcup \ldots)$ (Definition $\Gamma^\Sigma_{k+1}$) 

$= F(\Sigma(e)) \sqcap F(\Sigma(e) \sqcup \ldots)$ (Induction Hypothesis) 

$= F(\Sigma(e))$ (monotonicity of $F$ gives $F(\Sigma(e)) \le F(\Sigma(e) \sqcup \ldots)$) 

So, for each initial edge $e$ and $k > 0$, $\Gamma^\Sigma_k(e) = \Delta^\Sigma_k(e)$. 

On non-initial edges the two iterations do not agree step by step: for $k = 1$, $\Gamma^\Sigma_1(e)$ already uses 
$F(\Sigma(i))$ on the initial in-edges $i$ of $e$, whereas $\Delta^\Sigma_1(e)$ still uses $\top$ there. We therefore compare 
the limits directly. Both sequences are decreasing, $\Gamma^\Sigma$ by the meet in its definition and $\Delta^\Sigma$ by 
the proof of Proposition 5.4, so over the finite domain both limits $\Gamma^\Sigma_*$ and $\Delta^\Sigma_*$ exist. 

$\Gamma^\Sigma_* \le \Delta^\Sigma_*$: at the limit, $\Gamma^\Sigma_*(e) = \Gamma^\Sigma_*(e) \sqcap F^\circ_\Sigma(\Gamma^\Sigma_*)(e)$ for each non-initial edge $e$ 
by definition, and $\Gamma^\Sigma_*(e) = F(\Sigma(e)) = F^\circ_\Sigma(\Gamma^\Sigma_*)(e)$ for each initial edge $e$ by the above. Hence 
$\Gamma^\Sigma_* \le F^\circ_\Sigma(\Gamma^\Sigma_*)$, so $\Gamma^\Sigma_*$ is a post-fixpoint of $F^\circ_\Sigma$ and lies below its greatest fixpoint $\Delta^\Sigma_*$ 
(Proposition 5.4). 

$\Delta^\Sigma_* \le \Gamma^\Sigma_*$: we prove $\Delta^\Sigma_* \le \Gamma^\Sigma_k$ for all $k$ by induction on $k$. For $k = 0$, $\Delta^\Sigma_*(e) = F(\Sigma(e)) = \Gamma^\Sigma_0(e)$ 
on initial edges and $\Gamma^\Sigma_0(e) = \top$ elsewhere. If $\Delta^\Sigma_* \le \Gamma^\Sigma_k$, then by monotonicity of $F^\circ_\Sigma$, 
$\Delta^\Sigma_* = F^\circ_\Sigma(\Delta^\Sigma_*) \le F^\circ_\Sigma(\Gamma^\Sigma_k)$, and so $\Delta^\Sigma_* \le \Gamma^\Sigma_k \sqcap F^\circ_\Sigma(\Gamma^\Sigma_k) = \Gamma^\Sigma_{k+1}$ on non-initial 
edges, while on initial edges both sides equal $F(\Sigma(e))$. 

Thus, $\Gamma^\Sigma_* = \Delta^\Sigma_*$. □ 
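The following Python program is an added worked example, not code from the paper, that implements the scalar GSTE algorithm of Definition 5.5 and the comparison of Proposition 5.7 on a concrete circuit. Everything concrete in it is an assumption made for the example: the circuit (a register p' → p driving the gate out = p OR NOT p, one reading of the circuit in Example 4.2), the encoding of states as dictionaries, a `next` function that copies register inputs to register outputs and sets every other node to X, GTEL formulas as tuples, and the reading of cautious satisfaction as "the defining trajectory graph contains no T". It computes Δ^Σ_* by iterating F°_Σ downwards from the all-T graph, computes Γ^Σ_* by the iteration of [17], and checks ψ^φ[cons] ≤ ζ^φ⟦ant⟧ for every φ; the assertion graphs at the bottom reproduce Examples 4.2 and 4.3 (the latter with the register p'/p in place of reg'/reg).

```python
"""Scalar GSTE model checking over the lattice X < 0, 1 < T (added example, not from the paper).
Assumed: states are dicts node -> value; `next` copies each register input n' to its output n and
sets every other node to X; the circuit is the register p' -> p driving out = p OR NOT p, one
reading of the circuit in Example 4.2."""
from functools import reduce

X, ZERO, ONE, TOP = "X", "0", "1", "T"
_LT = {(X, ZERO), (X, ONE), (X, TOP), (ZERO, TOP), (ONE, TOP)}

def leq(a, b): return a == b or (a, b) in _LT
def join(a, b): return b if leq(a, b) else a if leq(b, a) else TOP   # 0 ⊔ 1 = T: conflict
def meet(a, b): return a if leq(a, b) else b if leq(b, a) else X     # 0 ⊓ 1 = X: information lost

NODES, REGS = ("p'", "p", "out"), {"p'": "p"}     # REGS: register input -> register output
TOP_STATE = dict.fromkeys(NODES, TOP)

def state(**vals): return {n: vals.get(n, X) for n in NODES}          # unmentioned nodes are X
def state_leq(s, t): return all(leq(s[n], t[n]) for n in NODES)
def state_join(s, t): return {n: join(s[n], t[n]) for n in NODES}
def state_meet(s, t): return {n: meet(s[n], t[n]) for n in NODES}
def next_state(s): return state(**{out: s[inp] for inp, out in REGS.items()})

def F(s):
    """Induced closure function: out = p OR NOT p is 1 for p in {0,1}, X for X and T for T."""
    gate = TOP if s["p"] == TOP else ONE if s["p"] in (ZERO, ONE) else X
    return dict(s, out=join(s["out"], gate))

def psi_state(f, phi):
    """Defining state of a GTEL formula under phi (Section 5.1); None is the empty label '-'."""
    if f is None:
        return state()
    if f[0] == "is":                     # ("is", node, b): b is a bool or a function of phi
        b = f[2](phi) if callable(f[2]) else f[2]
        return state(**{f[1]: ONE if b else ZERO})
    if f[0] == "and":                    # ("and", f1, f2): join of the two defining states
        return state_join(psi_state(f[1], phi), psi_state(f[2], phi))
    if f[0] == "imp":                    # ("imp", P, f1): P is a predicate on phi
        return psi_state(f[2], phi) if f[1](phi) else state()
    raise ValueError(f[0])

class AssertionGraph:
    """Edges are (src, dst, ant, cons); an edge is initial when src == init."""
    def __init__(self, init, edges):
        self.init, self.edges = init, edges
    def psi(self, phi, part):            # defining sequence graph of ant (part 2) or cons (part 3)
        return [psi_state(e[part], phi) for e in self.edges]
    def step(self, sigma, delta):        # one application of F°_Σ to Δ
        new = []
        for k, (src, _, _, _) in enumerate(self.edges):
            if src == self.init:
                new.append(F(sigma[k]))
            else:
                ins = [next_state(delta[j]) for j, i in enumerate(self.edges) if i[1] == src]
                new.append(F(state_join(sigma[k], reduce(state_meet, ins, TOP_STATE))))
        return new

def delta_fixpoint(G, sigma):
    """Δ^Σ_*: iterate F°_Σ downwards from the all-T graph (Proposition 5.4)."""
    delta = [TOP_STATE] * len(G.edges)
    while (new := G.step(sigma, delta)) != delta:
        delta = new
    return delta

def gamma_fixpoint(G, sigma):
    """Γ^Σ_*: the iteration of [17], meeting each step with the previous value."""
    gamma = [F(sigma[k]) if e[0] == G.init else TOP_STATE for k, e in enumerate(G.edges)]
    while (new := [state_meet(g, s) for g, s in zip(gamma, G.step(sigma, gamma))]) != gamma:
        gamma = new
    return gamma

def defining_trajectory_graph(G, phi): return delta_fixpoint(G, G.psi(phi, 2))

def simply_satisfies(G, phis):
    """Fundamental theorem: psi[cons] <= zeta[[ant]] for every valuation phi."""
    return all(all(state_leq(c, z) for c, z in zip(G.psi(phi, 3), defining_trajectory_graph(G, phi)))
               for phi in phis)

def cautiously_satisfies(G, phis):
    """Assumed reading of Definition 3.19: the weakest trajectory graph of ant contains no T."""
    return simply_satisfies(G, phis) and all(
        TOP not in s.values() for phi in phis for s in defining_trajectory_graph(G, phi))

# Example 4.2: both STE assertions hold, but the assertion graph merging them does not.
P1, P0, OUT1, PIS1 = ("is", "p'", True), ("is", "p'", False), ("is", "out", True), ("is", "p", True)
ste_hi = AssertionGraph("init", [("init", "v", P1, None), ("v", "w", None, OUT1)])
ste_lo = AssertionGraph("init", [("init", "v", P0, None), ("v", "w", None, OUT1)])
merged = AssertionGraph("init", [("init", "v", P1, None), ("init", "v", P0, None), ("v", "w", None, OUT1)])
# Example 4.3 transposed to node p: cautious for the graph, not for its bottom path.
guarded = AssertionGraph("init", [("init", "v", P1, None), ("init", "v", P0, None), ("v", "w", PIS1, PIS1)])
bottom = AssertionGraph("init", [("init", "v", P0, None), ("v", "w", PIS1, PIS1)])
# A symbolic antecedent p' is a, checked under both valuations of the constant a.
symbolic = AssertionGraph("init", [("init", "v", ("is", "p'", lambda phi: phi["a"]), None), ("v", "w", None, OUT1)])
PHIS_A = [{"a": True}, {"a": False}]

if __name__ == "__main__":
    print(simply_satisfies(ste_hi, [{}]), simply_satisfies(ste_lo, [{}]), simply_satisfies(merged, [{}]))
    print(cautiously_satisfies(guarded, [{}]), simply_satisfies(bottom, [{}]), cautiously_satisfies(bottom, [{}]))
    print(simply_satisfies(symbolic, PHIS_A), gamma_fixpoint(merged, merged.psi({}, 2)) == defining_trajectory_graph(merged, {}))
```

Running it shows the two STE assertions of Example 4.2 passing while their merged assertion graph fails: the meet of p' = 1 and p' = 0 on the two incoming edges of v is X, and the gate cannot recover out = 1 from p = X. It also shows the bottom path of the Example 4.3 graph being simply but not cautiously satisfied, since p becomes T on its second edge, and Γ^Σ_* coinciding with Δ^Σ_* on every graph even though the two iterations differ at k = 1.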
5.2.2. A symbolic GSTE-algorithm. In actual implementations of GSTE, the above algo- 
rithm is implemented symbolically. That is, instead of calculating the defining trajectory 
graph for a specific valuation $\phi$, it calculates, using BDDs, a symbolic defining trajectory 
graph in terms of the symbolic constants. 

Then, a BDD is constructed that specifies under which conditions on the symbolic 
constants the symbolic defining trajectory graph satisfies the consequent. If this BDD is 
equal to the logical constant True, the property is proven. Otherwise, the BDD indicates for 
which valuations of the symbolic constants the antecedent does not imply the consequent. 

6. Future Work 

Extension to the semantics for GSTE. There exist several extensions of the GSTE algorithm 
that considerably improve the algorithm's proving power. Examples of such extensions are 
precise nodes [18, 15] and knots [7]. We would like to give semantic characterisations of 
these extensions. 

In [17, 16, 18], a backwards algorithm for GSTE is described. Using this algorithm 
properties can be proven that depend on a backwards (that is, from outputs to inputs, 
and from time t + 1 to t) information flow. In [17, 18] a semantics for this form of GSTE 
is given. The semantics is however not faithful as the algorithm is incomplete w.r.t. the 
semantics [17]. A faithful semantics for this form of GSTE could be a topic of future work. 

SAT-based GSTE model checking. The model checking algorithms for GSTE described in 
the current literature are based on BDDs. In previous work we described how a faithful 
semantics for STE [9] enabled us to construct a new SAT-based model checking algorithm 
for STE [8]. In the same way, our faithful semantics for GSTE could be used to construct 
a SAT-based model checking algorithm for GSTE. The aim would be to create a tool very 
much like satGSTE [14] that actually respects the GSTE semantics, so that it can possibly 
find all counter examples. In this way, the tool could be used seamlessly in conjunction 
with a GSTE model checker. 

Monitor circuits for GSTE assertion graphs. In [4, 7] methods for automatic construction 
of monitor circuits for GSTE assertion graphs are described. 

The papers explain how monitor circuits can be used to quickly debug and refine GSTE 
specifications before trying to use the more labour intensive GSTE model checking. 

The monitor circuits implement the V-semantics for GSTE. However, as explained in 
this paper, the GSTE model checking algorithms are not faithful to this semantics. There- 
fore, monitor circuits cannot be used to debug and refine assertion graphs that are true in 
the V-semantics, but yield a spurious counter-example when trying to prove them with a 
GSTE model checker. Future work could consist of constructing monitor circuits that can 
be used to debug and refine assertion graphs in this class. Here, the faithful semantics for 
GSTE can be used as a starting point. 

Reasoning about GSTE assertion graphs. Using the construction of monitor circuits for 
GSTE assertion graphs, [5] describes two algorithms that can be used in compositional 
verification using GSTE. The first algorithm decides whether one assertion graph implies 
another. The second algorithm can be used to model check an assertion graph under the 
assumption that another assertion graph is true. 

The algorithms, and the corresponding soundness and completeness proofs, are based 
on the V-semantics. Therefore, as the algorithms are based on GSTE model checking, the 
methods are incomplete when abstraction is used. A possible direction for future work is 
explaining how the GSTE abstraction affects the completeness of the algorithms. 

7. CONCLUSION 

The semantics for GSTE given in [17, 18] are not faithful to the proving power of 
GSTE model checking algorithms, that is, the algorithms are incomplete with respect to 
the semantics. The reason is that the semantics do not capture the abstraction used in 
GSTE precisely. 

The abstraction used in GSTE makes it hard to understand why a specific property 
can, or cannot, be proven by GSTE. The semantics mentioned above cannot help the user 
in doing so. So, in the current situation, users of GSTE often have to revert to the GSTE 
algorithm to understand why a property can or cannot be proven by GSTE. 

In this paper, we have presented a semantics for GSTE that is faithful to the proving 
power of the main GSTE model checking algorithm. We believe that this semantics is an 
important contribution to the research on GSTE for at least two reasons. 

First of all, a faithful semantics makes GSTE more accessible to novice users: a faithful 
semantics enables users to understand the abstraction used in GSTE, without having to 
understand the details of the model checking algorithm. 

Furthermore, a faithful semantics for GSTE can be used as a basis for research on new 
GSTE model checking algorithms and other GSTE tools. To illustrate this, in previous 
work [8], we described a new SAT-based model checking algorithm for STE and proved 
that it is sound and complete w.r.t. our faithful semantics for STE presented in [9]. 
Without a faithful semantics for STE, we would have been forced to prove the correctness 
of our algorithm by relating it to other model checking algorithms for STE. This is clearly 
a more involved and less elegant approach. In fact, we believe that without constructing a 
faithful semantics for STE first, we would not have obtained the level of understanding of 
STE needed to develop the new SAT-based model checking algorithm. 

In the same way, we expect that the faithful semantics for GSTE presented in this 
paper will open the door for new research on GSTE model checking algorithms and other 
GSTE tools. 

Acknowledgements. Thanks to Tom Melham, Mary Sheeran, Rachel Tzoref, and the anony- 
mous referees for commenting on earlier drafts of this paper. 